Last week at ten hours' notice I was asked to speak at a major conference on security and resilience (I’m not proud – I knew I was standing in for another speaker who had dropped out at the last moment). One of the topics that came up was the importance of small and medium-sized businesses in the supply chains of parts of the critical national infrastructure and the fact that such businesses are often likely to be less well-protected in terms of cyber security. The consensus view was that more needed to be done to encourage and support such businesses to adopt better security.
I raised the issue again this morning at a private briefing given by Melissa Hathaway, the former Senior Director for Cyberspace for the US National Security and Homeland Security Councils. She agreed with my concerns on the matter, but then took my breath away by referring to a current case working its way through the US Courts (which I had not previously heard about) where a bank is suing a company for not having adequate internet security in connecting to the bank for internet banking purposes.
What seems to have happened is this:
In early November 2009, cyber thieves initiated a series of unauthorized wire transfers totaling $801,495 out of the account of Hillary Machinery, a Texas-based machine equipment company. The bank, PlainsCapital, managed to retrieve roughly $600,000 of that money, but is now suing the company for the balance on the basis that the bank had processed the transfers in good faith. Apparently, the fraudulent transactions were initiated using Hillary’s valid online banking credentials.
It would appear that the transfers were initiated from computers in Romania and Italy, among others, and sent to accounts in Ukraine, Russia and other Eastern European nations – allegedly using credentials stolen from the computers of Hillary Machinery.
No doubt, this case will make some businesses think twice about whether their own internet security is good enough. It may also make them think twice about using internet banking.
However, there has to be a better way of ensuring that businesses improve their own security without the banks resorting to suing their customers.